Amendments to the Claims: 

This listing of claims will replace all prior versions, and listings, of claims 
in the application: 

Listing of Claims: 

1. (Currently Amended) A method of re-authenticating and protecting 
communication security when using a key lease to re-authenticate after a 
primary authentication protocol has been performed, comprising the steps of: 

a) performing a secondary authentication protocol between a client 
electronic system (client) and a network access point electronic system (AP) 
using said a key lease generated by performance of a primary authentication 
protocol, wherein said key lease includes a key lease period for indicating a 
length of time in which said key lease is valid for using said secondary 
authentication protocol instead of said primary authentication protocol; and 

b) if said secondary authentication protocol is successful, generating 
a session encryption key for encrypting communication traffic between said 
client and said AP. 

2. (Original) A method as recited in Claim 1 wherein said step a) includes 
the steps of: 

transmitting said key lease from said client to said AP; 

generating a first random number associated with said client and a 
second random number associated with said AP, wherein said key lease 
includes an encryption key for use in said secondary authentication protocol; 
and 

transmitting said first random number to said AP and said second random 
number to said client. 

3. (Original) A method as recited in Claim 2 wherein said step b) 
includes: 

using said encryption key, said first random number, said second random 
number, and a hash function to determine said session encryption key. 

4. (Original) A method as recited in Claim 3 wherein said step b) 
includes: 

applying a HMAC-MD5 algorithm and said encryption key on a 
concatenation of said first random number and said second random number to 
determine said session encryption key. 

5. (Original) A method as recited in Claim 3 wherein said step b) 
includes: 

applying a HMAC-SHA-1 algorithm and said encryption key on a 
concatenation of said first random number and said second random number to 
determine said session encryption key. 

6. (Original) A method as recited in Claim 2 wherein said step b) 
includes: 

generating a first session encryption key for encrypting communication 
traffic from said client to said AP; and 

generating a second session encryption key for encrypting 
communication traffic from said AP to said client. 

7. (Original) A method as recited in Claim 6 wherein said step b) 
includes: 

using said encryption key, said first random number, said second random 
number, a first media access control (MAC) address associated with said client, 
a second media access control (MAC) address associated with said AP, and a 
hash function to determine said first and second session encryption keys. 

8. (Original) A method as recited in Claim 7 wherein said step b) 
includes: 

applying a HMAC-MD5 algorithm and said encryption key on a 
concatenation of said first random number, said second random number, said 
first media access control (MAC) address associated with said client, and said 
second media access control (MAC) address associated with said AP to 
determine said first session encryption key. 

9. (Original) A method as recited in Claim 7 wherein said step b) 
includes: 

applying a HMAC-SHA-1 algorithm and said encryption key on a 
concatenation of said first random number, said second random number, said 
first media access control (MAC) address associated with said client, and said 
second media access control (MAC) address associated with said AP to 
determine said first session encryption key. 

10. (Original) A method as recited in Claim 7 wherein said step b) 
includes: 

applying a HMAC-MD5 algorithm and said encryption key on a 
concatenation of said first random number, said second random number, said 
second media access control (MAC) address associated with said AP, and said 
first media access control (MAC) address associated with said client to 
determine said second session encryption key. 

11. (Original) A method as recited in Claim 7 wherein said step b) 
includes: 

applying a HMAC-SHA-1 algorithm and said encryption key on a 
concatenation of said first random number, said second random number, said 
second media access control (MAC) address associated with said AP, and said 
first media access control (MAC) address associated with said client to 
determine said second session encryption key. 
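
The directional key derivation recited in Claims 7 to 11, as an added example that is not part of the application: each side computes one HMAC per traffic direction over the two random numbers and the two MAC addresses, swapping only the address order. The 16-byte nonce length, the function names and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac

NONCE_LEN = 16  # assumed fixed nonce size; the claims do not state one


def mac_bytes(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' (or dash-separated) into its 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return raw


def derive_session_keys(lease_key, client_nonce, ap_nonce, client_mac, ap_mac,
                        digest="sha1"):
    """Return (client_to_ap_key, ap_to_client_key).

    Both directions use the same lease key and nonces; only the order of the
    two MAC addresses in the HMAC input differs (Claims 8/9 vs. 10/11).
    """
    if digest not in ("md5", "sha1"):
        raise ValueError("the claims name only HMAC-MD5 and HMAC-SHA-1")
    # Fixed-width fields keep the concatenation unambiguous: with variable
    # lengths, different nonce pairs could yield the same byte string.
    if len(client_nonce) != NONCE_LEN or len(ap_nonce) != NONCE_LEN:
        raise ValueError(f"nonces must be exactly {NONCE_LEN} bytes")
    c_mac, a_mac = mac_bytes(client_mac), mac_bytes(ap_mac)
    nonces = client_nonce + ap_nonce
    client_to_ap = hmac.new(lease_key, nonces + c_mac + a_mac, digest).digest()
    ap_to_client = hmac.new(lease_key, nonces + a_mac + c_mac, digest).digest()
    return client_to_ap, ap_to_client


if __name__ == "__main__":
    # Constructed sample values, not taken from the application.
    lease_key = bytes(range(16))
    n_client, n_ap = b"\x11" * NONCE_LEN, b"\x22" * NONCE_LEN
    c2a, a2c = derive_session_keys(lease_key, n_client, n_ap,
                                   "02:00:00:00:00:01", "02:00:00:00:00:fe")
    print("client->AP:", c2a.hex())
    print("AP->client:", a2c.hex())
```

The client and the AP run the same function on the same inputs, so no session key crosses the air. HMAC-MD5 and HMAC-SHA-1 are the functions the claims name; a new design would normally choose HMAC-SHA-256.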

12. (Currently Amended) An apparatus for re-authenticating and 
protecting communication security using a key lease after a primary 
authentication protocol has been performed, comprising: 

a client electronic system (client) configured to perform a secondary 
authentication protocol with a network access point electronic system (AP) using 
said a key lease generated by performance of a primary authentication protocol, 
wherein said key lease includes a key lease period for indicating a length of time 
in which said key lease is valid for using said secondary authentication protocol 
instead of said primary authentication protocol, wherein if said secondary 
authentication protocol is successful said client is configured to generate a 
session encryption key for encrypting communication traffic between said client 
and said AP. 

13. (Original) An apparatus as recited in Claim 12 wherein said client is 
configured to transmit said key lease to said AP, wherein said client is 
configured to generate a first random number, wherein said key lease includes 
an encryption key for use in said secondary authentication protocol, wherein 
said client is configured to transmit said first random number to said AP and to 
receive a second random number from said AP. 

14. (Original) An apparatus as recited in Claim 13 wherein said client is 
configured to use said encryption key, said first random number, said second 
random number, and a hash function to determine said session encryption key. 

15. (Original) An apparatus as recited in Claim 14 wherein said client is 
configured to apply a HMAC-MD5 algorithm and said encryption key on a 
concatenation of said first random number and said second random number to 
determine said session encryption key. 

16. (Original) An apparatus as recited in Claim 14 wherein said client is 
configured to apply a HMAC-SHA-1 algorithm and said encryption key on a 
concatenation of said first random number and said second random number to 
determine said session encryption key. 

17. (Original) An apparatus as recited in Claim 13 wherein said client is 
configured to generate a first session encryption key for encrypting 
communication traffic from said client to said AP, and wherein said client is 
configured to generate a second session encryption key for encrypting 
communication traffic from said AP to said client. 

18. (Original) An apparatus as recited in Claim 17 wherein said client is 
configured to use said encryption key, said first random number, said second 
random number, a first media access control (MAC) address associated with 
said client, a second media access control (MAC) address associated with said 
AP, and a hash function to determine said first and second session encryption 
keys. 

19. (Original) An apparatus as recited in Claim 17 wherein said client is 
configured to apply a HMAC-MD5 algorithm and said encryption key on a 
concatenation of said first random number, said second random number, said 
first media access control (MAC) address associated with said client, and said 
second media access control (MAC) address associated with said AP to 
determine said first session encryption key. 

20. (Original) An apparatus as recited in Claim 17 wherein said client is 
configured to apply a HMAC-SHA-1 algorithm and said encryption key on a 
concatenation of said first random number, said second random number, said 
first media access control (MAC) address associated with said client, and said 
second media access control (MAC) address associated with said AP to 
determine said first session encryption key. 

21. (Original) An apparatus as recited in Claim 17 wherein said client is 
configured to apply a HMAC-MD5 algorithm and said encryption key on a 
concatenation of said first random number, said second random number, said 
second media access control (MAC) address associated with said AP, and said 
first media access control (MAC) address associated with said client to 
determine said second session encryption key. 



22. (Original) An apparatus as recited in Claim 17 wherein said client is 
configured to apply a HMAC-SHA-1 algorithm and said encryption key on a 
concatenation of said first random number, said second random number, said 
second media access control (MAC) address associated with said AP, and said 
first media access control (MAC) address associated with said client to 
determine said second session encryption key. 

23. (Currently Amended) An apparatus for re-authenticating and 
protecting communication security using a key lease after a primary 
authentication protocol has been performed, comprising: 

a network access point electronic system (AP) configured to perform a 
secondary authentication protocol with a client electronic system (client) using 
said a key lease generated by performance of a primary authentication protocol, 
wherein said key lease includes a key lease period for indicating a length of time 
in which said key lease is valid for using said secondary authentication protocol 
instead of said primary authentication protocol, wherein if said secondary 
authentication protocol is successful said AP is configured to generate a session 
encryption key for encrypting communication traffic between said client and said 
AP. 

24. (Original) An apparatus as recited in Claim 23 wherein said AP is 
configured to receive said key lease and a first random number from said client, 
wherein said key lease includes an encryption key for use in said secondary 
authentication protocol, wherein said AP is configured to generate a second 
random number and to transmit said second random number to said client. 

25. (Original) An apparatus as recited in Claim 24 wherein said AP is 
configured to use said encryption key, said first random number, said second 
random number, and a hash function to determine said session encryption key. 

26. (Original) An apparatus as recited in Claim 25 wherein said AP is 
configured to apply a HMAC-MD5 algorithm and said encryption key on a 
concatenation of said first random number and said second random number to 
determine said session encryption key. 

27. (Original) An apparatus as recited in Claim 25 wherein said AP is 
configured to apply a HMAC-SHA-1 algorithm and said encryption key on a 
concatenation of said first random number and said second random number to 
determine said session encryption key. 

28. (Original) An apparatus as recited in Claim 24 wherein said AP is 
configured to generate a first session encryption key for encrypting 
communication traffic from said client to said AP, and wherein said AP is 
configured to generate a second session encryption key for encrypting 
communication traffic from said AP to said client. 

29. (Original) An apparatus as recited in Claim 28 wherein said AP is 
configured to use said encryption key, said first random number, said second 
random number, a first media access control (MAC) address associated with 
said client, a second media access control (MAC) address associated with said 
AP, and a hash function to determine said first and second session encryption 
keys. 

30. (Original) An apparatus as recited in Claim 29 wherein said AP is 
configured to apply a HMAC-MD5 algorithm and said encryption key on a 
concatenation of said first random number, said second random number, said 
first media access control (MAC) address associated with said client, and said 
second media access control (MAC) address associated with said AP to 
determine said first session encryption key. 

31. (Original) An apparatus as recited in Claim 29 wherein said AP is 
configured to apply a HMAC-SHA-1 algorithm and said encryption key on a 
concatenation of said first random number, said second random number, said 
first media access control (MAC) address associated with said client, and said 
second media access control (MAC) address associated with said AP to 
determine said first session encryption key. 

32. (Original) An apparatus as recited in Claim 29 wherein said AP is 
configured to apply a HMAC-MD5 algorithm and said encryption key on a 
concatenation of said first random number, said second random number, said 
second media access control (MAC) address associated with said AP, and said 
first media access control (MAC) address associated with said client to 
determine said second session encryption key. 

33. (Original) An apparatus as recited in Claim 29 wherein said AP is 
configured to apply a HMAC-SHA-1 algorithm and said encryption key on a 
concatenation of said first random number, said second random number, said 
second media access control (MAC) address associated with said AP, and said 
first media access control (MAC) address associated with said client to 
determine said second session encryption key. 

34. (Currently Amended) A method of authenticating a client electronic 
system (client) to allow access to a network, comprising the steps of: 

a) in response to a first request to authenticate, performing a primary 
authentication protocol between said client and a first network access point 
electronic system (first AP) to allow access to a network; 

b) if said primary authentication protocol is successful, generating a 
key lease, wherein said key lease includes context information and a key lease 
period for indicating a length of time in which said key lease is valid for using a 
secondary authentication protocol instead of said primary authentication 
protocol; 

c) transmitting said key lease to said client; and 

d) in response to a second request to authenticate, performing a said 
secondary authentication protocol between said client and a second network 
access point electronic system (second AP) using said key lease. 

35. (Original) A method as recited in Claim 34 further comprising the step 
of: 

e) if said secondary authentication is successful, using said context 
information of said lease key to control access of said client to said network. 

36. (Original) A method as recited in Claim 34 wherein said context 
information includes information established in said primary authentication 
protocol. 

37. (Original) A method as recited in Claim 34 wherein said context 
information includes accounting information, session timeout information, and 
filtering information. 

38. (Currently Amended) A method as recited in Claim 34 wherein said 
key lease further includes a first identifier associated with said client, a first 
encryption key associated with said primary authentication protocol, a second 
encryption key for use in said secondary authentication protocol, a key lease 
period for indicating a length of time in which said key lease is valid, integrity 
function data for determining an unauthorized change to a first portion of said 
key lease, and a second identifier associated with a particular network access 
point electronic system group of a plurality of network access point electronic 
system groups. 

39. (Original) A method as recited in Claim 38 wherein said first portion 
includes said first identifier, said first encryption key, said second encryption 
key, said key lease period, and said context information. 

40. (Original) A method as recited in Claim 38 wherein a second portion of 
said key lease is encrypted using a third encryption key. 

41. (Original) A method as recited in Claim 40 wherein said second 
portion includes said first identifier, said first encryption key, said second 
encryption key, said key lease period, said context information, and said integrity 
function data. 

42. (Original) A method as recited in Claim 40 wherein said step b) 
includes: 

b1) transmitting said first identifier and said key lease to said second 
AP; 

b2) if said second AP is associated with said second identifier of said 
key lease, retrieving said third encryption key corresponding to said second 
identifier; and 

b3) decrypting said second portion of said key lease using said 
retrieved third encryption key. 

43. (Original) A method as recited in Claim 42 wherein said step b) further 
includes: 

b4) determining whether said first identifier transmitted by said client 
matches said first identifier decrypted from said key lease; 

b5) determining whether said integrity function data decrypted from 
said key lease matches an integrity function performed on said first portion of 
said key lease; 

b6) determining whether said key lease period has not expired; and 

b7) if valid determinations are made in said steps b4) to b6), initiating 
said secondary authentication protocol between said client and said second AP. 
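
The lease checks that Claims 38 to 43 require of the second AP, as an added example that is not part of the application: look up the AP-group key from the clear second identifier, decrypt the sealed portion, then verify integrity, client identifier and lease period before the secondary protocol may start. The JSON layout, the HMAC-SHA-256 integrity function, the HMAC-based stand-in cipher and all names and sample values are assumptions; the claims fix none of them.

```python
import hashlib
import hmac
import json
import secrets

TAG_LEN = 32  # HMAC-SHA-256 output size


class LeaseRejected(Exception):
    """Raised when a presented key lease fails any check."""


def subkey(group_key: bytes, label: bytes) -> bytes:
    # Separate encryption and integrity keys derived from the AP-group key.
    return hmac.new(group_key, label, hashlib.sha256).digest()


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Stand-in cipher (HMAC-SHA-256 in counter mode) so the example needs only
    # the standard library; a deployment would use a vetted cipher instead.
    stream = bytearray()
    for block in range((len(data) + 31) // 32):
        stream += hmac.new(key, iv + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(d ^ s for d, s in zip(data, stream))


def issue_lease(group_id, group_key, client_id, primary_key, secondary_key,
                expires_at, context):
    """First AP: build the lease after a successful primary authentication."""
    first_portion = json.dumps({
        "client_id": client_id,                # first identifier
        "primary_key": primary_key.hex(),      # first encryption key
        "secondary_key": secondary_key.hex(),  # second encryption key
        "expires_at": expires_at,              # key lease period (epoch seconds)
        "context": context,                    # context information
    }, sort_keys=True).encode()
    tag = hmac.new(subkey(group_key, b"integrity"), first_portion, hashlib.sha256).digest()
    iv = secrets.token_bytes(16)
    sealed = keystream_xor(subkey(group_key, b"encrypt"), iv, first_portion + tag)
    # The second identifier (AP group) stays in the clear so an AP can pick a key.
    return {"group_id": group_id, "iv": iv, "sealed": sealed}


def validate_lease(lease, presented_client_id, group_keys, now):
    """Second AP: steps b2) to b6). Returns (secondary_key, context)."""
    group_key = group_keys.get(lease["group_id"])  # b2: is this AP in the group?
    if group_key is None:
        raise LeaseRejected("AP is not in the lease's AP group")
    plain = keystream_xor(subkey(group_key, b"encrypt"), lease["iv"], lease["sealed"])  # b3
    if len(plain) <= TAG_LEN:
        raise LeaseRejected("lease too short")
    first_portion, tag = plain[:-TAG_LEN], plain[-TAG_LEN:]
    expected = hmac.new(subkey(group_key, b"integrity"), first_portion, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # b5: integrity function data
        raise LeaseRejected("integrity check failed")
    fields = json.loads(first_portion)  # parsed only after the integrity check
    if not hmac.compare_digest(fields["client_id"].encode(),
                               presented_client_id.encode()):  # b4
        raise LeaseRejected("client identifier mismatch")
    if now >= fields["expires_at"]:  # b6: key lease period
        raise LeaseRejected("key lease period has expired")
    return bytes.fromhex(fields["secondary_key"]), fields["context"]


if __name__ == "__main__":
    # Constructed sample values, not taken from the application.
    keys = {"campus-west": b"G" * 32}
    lease = issue_lease("campus-west", keys["campus-west"], "client-42",
                        b"P" * 16, b"S" * 16, 2000, {"session_timeout": 3600})
    print(validate_lease(lease, "client-42", keys, now=1500))
    try:
        validate_lease(lease, "client-42", keys, now=2500)
    except LeaseRejected as err:
        print("rejected:", err)
```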



44. (Original) A method as recited in Claim 34 wherein said secondary 
authentication protocol comprises a mutual challenge-response protocol based 
on symmetric encryption. 

45. (Original) A method as recited in Claim 34 wherein said secondary 
authentication protocol comprises a mutual challenge-response protocol based 
on a one-way hash function message authentication code (HMAC) 
implementation. 

46. (Original) A method as recited in Claim 34 wherein said secondary 
authentication protocol comprises a mutual challenge-response protocol based 
on a keyed message authentication code implementation. 

47. (Currently Amended) An apparatus for performing an authentication 
protocol to allow access to a network, comprising: 

a client electronic system (client) configured to perform a primary 
authentication protocol with a first network access point electronic system (first 
AP) to allow access to a network in response to a first request to authenticate, 
wherein said client is configured to receive a key lease if said primary 
authentication protocol is successful, wherein said key lease includes context 
information and a key lease period for indicating a length of time in which said 
key lease is valid for using a secondary authentication protocol instead of said 
primary authentication protocol, and wherein said client is configured to perform 
a said secondary authentication protocol with a second network access point 
electronic system (second AP) using said key lease in response to a second 
request to authenticate. 

48. (Original) An apparatus as recited in Claim 47 wherein if said 
secondary authentication is successful, said second AP uses said context 
information of said lease key to control access of said client to said network. 

49. (Original) An apparatus as recited in Claim 47 wherein said context 
information includes information established in said primary authentication 
protocol. 

50. (Original) An apparatus as recited in Claim 47 wherein said context 
information includes accounting information, session timeout information, and 
filtering information. 

51. (Currently Amended) An apparatus as recited in Claim 47 wherein 
said key lease further includes a first identifier associated with said client, a first 
encryption key associated with said primary authentication protocol, a second 
encryption key for use in said secondary authentication protocol, a key lease 
period for indicating a length of time in which said key lease is valid, integrity 
function data for determining an unauthorized change to a first portion of said 
key lease, and a second identifier associated with a particular network access 
point electronic system group of a plurality of network access point electronic 
system groups. 

52. (Original) An apparatus as recited in Claim 51 wherein said first 
portion includes said first identifier, said first encryption key, said second 
encryption key, said key lease period, and said context information. 

53. (Original) An apparatus as recited in Claim 51 wherein a second 
portion of said key lease is encrypted using a third encryption key. 

54. (Original) An apparatus as recited in Claim 53 wherein said second 
portion includes said first identifier, said first encryption key, said second 
encryption key, said key lease period, said context information, and said integrity 
function data. 

55. (Original) An apparatus as recited in Claim 53 wherein said client is 
configured to transmit said first identifier and said key lease to said second AP, 
wherein said second AP retrieves said third encryption key corresponding to 
said second identifier if said second AP is associated with said second identifier 
of said key lease, and wherein said second AP decrypts said second portion of 
said key lease using said retrieved third encryption key. 

56. (Original) An apparatus as recited in Claim 55 wherein said second 
AP determines whether said first identifier transmitted by said client matches 
said first identifier decrypted from said key lease, determines whether said 
integrity function data decrypted from said key lease matches an integrity 
function performed on said first portion of said key lease, and determines 
whether said key lease period has not expired, and wherein if verification of said 
first identifier, said integrity function data, and said key lease period is 
successful, said second AP initiates said secondary authentication protocol with 
said client. 

57. (Original) An apparatus as recited in Claim 47 wherein said secondary 
authentication protocol comprises a mutual challenge-response protocol based 
on symmetric encryption. 

58. (Original) An apparatus as recited in Claim 47 wherein said secondary 
authentication protocol comprises a mutual challenge-response protocol based 
on a one-way hash function message authentication code (HMAC) 
implementation. 

59. (Original) An apparatus as recited in Claim 47 wherein said secondary 
authentication protocol comprises a mutual challenge-response protocol based 
on a keyed message authentication code implementation. 

60. (Currently Amended) An apparatus for performing an authentication 
protocol to allow access to a network, comprising: 

a first network access point electronic system (first AP) configured to 
perform a primary authentication protocol with a client electronic system (client) 
to allow access to a network in response to a first request to authenticate, 
wherein said first AP is configured to generate a key lease and transmit said key 
lease to said client if said primary authentication protocol is successful, wherein 
said key lease includes context information and a key lease period for indicating 
a length of time in which said key lease is valid for using a secondary 
authentication protocol instead of said primary authentication protocol, and 

a second network access point electronic system (second AP) configured 
to perform a said secondary authentication protocol with said client using said 
key lease in response to a second request to authenticate. 

61. (Original) An apparatus as recited in Claim 60 wherein if said 
secondary authentication is successful, said second AP uses said context 
information of said lease key to control access of said client to said network. 

62. (Original) An apparatus as recited in Claim 60 wherein said context 
information includes information established in said primary authentication 
protocol. 

63. (Original) An apparatus as recited in Claim 60 wherein said context 
information includes accounting information, session timeout information, and 
filtering information. 

64. (Currently Amended) An apparatus as recited in Claim 60 wherein 
said key lease further includes a first identifier associated with said client, a first 
encryption key associated with said primary authentication protocol, a second 
encryption key for use in said secondary authentication protocol, a key lease 
period for indicating a length of time in which said key lease is valid, integrity 
function data for determining an unauthorized change to a first portion of said 
key lease, and a second identifier associated with a particular network access 
point electronic system group of a plurality of network access point electronic 
system groups. 

65. (Original) An apparatus as recited in Claim 64 wherein said first 
portion includes said first identifier, said first encryption key, said second 
encryption key, said key lease period, and said context information. 

66. (Original) An apparatus as recited in Claim 64 wherein a second 
portion of said key lease is encrypted using a third encryption key. 

67. (Original) An apparatus as recited in Claim 66 wherein said second 
portion includes said first identifier, said first encryption key, said second 
encryption key, said key lease period, said context information, and said integrity 
function data. 



68. (Original) An apparatus as recited in Claim 66 wherein said second 
AP is configured to receive said first identifier and said key lease from said 
client, wherein said second AP is configured to retrieve said third encryption key 
corresponding to said second identifier if said second AP is associated with said 
second identifier of said key lease, and wherein said second AP is configured to 
decrypt said second portion of said key lease using said retrieved third 
encryption key. 

69. (Original) An apparatus as recited in Claim 68 wherein said second 
AP is configured to determine whether said first identifier transmitted by said 
client matches said first identifier decrypted from said key lease, to determine 
whether said integrity function data decrypted from said key lease matches an 
integrity function performed on said first portion of said key lease, and to 
determine whether said key lease period has not expired, and wherein if 
verification of said first identifier, said integrity function data, and said key lease 
period is successful, said second AP is configured to initiate said secondary 
authentication protocol with said client. 

70. (Original) An apparatus as recited in Claim 60 wherein said secondary 
authentication protocol comprises a mutual challenge-response protocol based 
on symmetric encryption. 

71. (Original) An apparatus as recited in Claim 60 wherein said secondary 
authentication protocol comprises a mutual challenge-response protocol based 
on a one-way hash function message authentication code (HMAC) 
implementation. 

72. (Original) An apparatus as recited in Claim 60 wherein said secondary 
authentication protocol comprises a mutual challenge-response protocol based 
on a keyed message authentication code implementation. 